Setting Cross-Origin Access

Last updated: 2020-09-28 10:31:35


    You can set Cross-Origin Resource Sharing (CORS) for objects in buckets through the COS Console. COS supports configuring multiple rules to respond to OPTIONS requests. CORS is a mechanism that allows resources at one origin to be requested from another origin through HTTP requests. Two origins are considered different if their protocols, domain names, or ports differ.

    COS can respond to an OPTIONS request for cross-origin access, and return the cross-origin access configuration to the browser based on your CORS rule. However, the server does not check whether the subsequent actual cross-origin request meets the rule. For more details, see Cross-Origin Resource Sharing (CORS) and Setting Cross-Origin Access.


    1. Log in to the COS Console, and then select the Bucket List in the left pane to go to the Bucket List page. Click the bucket of the object for which you want to set CORS to enter the bucket.

    2. Go to Safety management > CORS (Cross-Origin Resource Sharing) Setting, and click Add a Rule.

    3. Add rule information (Fields with * are required). Configuration items are as follows:

      Source Origin: The domain names allowed for cross-origin requests.

      • More than one domain name can be specified, with one domain name per line.
      • Wildcard * is supported, which means all domain names are allowed. Not recommended.
      • A single specific domain name is supported, such as
      • Second-level wildcard domain names are supported, such as http://* Only one second-level wildcard domain name with only one * in it is allowed per line.
      • Do not omit the protocol (HTTP or HTTPS), and specify the port if it is not the default port 80.

      Operating Methods: GET, PUT, POST, DELETE, and HEAD are supported. One or more methods can be specified for a cross-origin request.

      Allow-Headers: When an OPTIONS request is sent, Allow-Headers specifies which custom HTTP request headers, such as x-cos-meta-md5, are allowed in subsequent requests.

      • More than one header can be specified, with one header per line.
      • Headers are easily omitted, so if there is no special requirement, it is recommended to set this field to * to indicate that all headers are allowed.
      • Uppercase and lowercase letters [a-z, A-Z] are supported, and no underscores (_) are allowed.
      • Each header specified in Access-Control-Request-Headers must also be provided in Allow-Headers.

      Expose-Headers: Expose-Headers specifies the common COS headers to return. For more information, see Common Request Headers. Configure this field according to the requirements of your application. ETag is recommended. Wildcards are not allowed. Headers are case-insensitive, with one header per line.

      Timeout Max-Age: Sets the validity period (in seconds) of the results obtained by OPTIONS. The value must be a positive integer, such as 600.

    4. After configuration, click Submit and you will see the CORS rules added. To modify a rule, click the Modify button.
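
    The rule fields from step 3, modeled as an added example (not Tencent Cloud's code): it evaluates an OPTIONS request against one rule and lints a rule against the field constraints listed above. The dict layout, the function names, the sample values, and the reading of * as "one or more hostname characters" are assumptions.

```python
import re

# Constructed sample rule; keys mirror the console fields, values are illustrative.
RULE = {
    "origins": ["https://app.example.com", "https://*.example.org:8443"],
    "methods": ["GET", "PUT"],
    "allow_headers": ["x-cos-meta-md5", "content-type"],
    "expose_headers": ["ETag"],
    "max_age": 600,
}

def origin_matches(pattern, origin):
    """Match one Source Origin line. Assumption: * stands for hostname characters."""
    if pattern == "*":
        return True
    regex = "[a-z0-9.-]+".join(re.escape(p) for p in pattern.lower().split("*"))
    return re.fullmatch(regex, origin.lower()) is not None

def preflight(rule, origin, method, request_headers=""):
    """Model the answer to an OPTIONS request; None means no rule matched."""
    if not any(origin_matches(p, origin) for p in rule["origins"]):
        return None
    if method.upper() not in rule["methods"]:
        return None
    allowed = {h.lower() for h in rule["allow_headers"]}
    wanted = [h.strip().lower() for h in request_headers.split(",") if h.strip()]
    # Every header in Access-Control-Request-Headers must be listed in Allow-Headers.
    if "*" not in allowed and any(h not in allowed for h in wanted):
        return None
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ",".join(rule["methods"]),
        "Access-Control-Allow-Headers": ",".join(wanted),
        "Access-Control-Expose-Headers": ",".join(rule["expose_headers"]),
        "Access-Control-Max-Age": str(rule["max_age"]),
    }

def audit(rule):
    """Review-time lint against the field rules on this page (not a COS feature)."""
    findings = []
    for o in rule["origins"]:
        if o == "*":
            findings.append("Source Origin * allows every site")
        elif not re.match(r"https?://", o, re.I) or o.count("*") > 1:
            findings.append(f"Source Origin {o} is malformed")
    if "*" in rule["expose_headers"]:
        findings.append("Expose-Headers does not accept a wildcard")
    if not (isinstance(rule["max_age"], int) and rule["max_age"] > 0):
        findings.append("Max-Age must be a positive integer")
    return findings
```

    Because COS does not check the actual cross-origin request against the rule, a None result here only means a browser would block the call; it does not restrict who can read or write the bucket.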